What the Flip

Disclaimer: The information below should by no means be taken as legal advice. We specialise in marketing, not legal matters. But we have done extensive research into GDPR and this is our understanding of how we need to comply and our recommendations to our clients. You!

What the flip does this blog post cover?

  1. What is GDPR?
  2. How Five + Dime are preparing for GDPR?
  3. A GDPR checklist
  4. Are you a processor or controller of data under GDPR?
  5. How to get data consent
  6. Conclusion

What is GDPR?

The acronym filtering through many conversations and your inboxes at the moment is GDPR. But seriously what does it even mean? Well, that’s why we're here, GDPR stands for General Data Protection Regulation (what a mouthful). Formally this regulation was put together in order to harmonize data privacy laws across Europe. Ultimately it protects and empowers all EU citizens data privacy and reshapes the way organisations approach data privacy. Still unsure? Put simply GDPR will protect European citizens personal data, this also includes the export of personal data outside the EU.

If your organisation doesn’t hold any EU citizens data you’re fine for now but it’s always good to have a clean nose and keep up the good practice.

Oh and most importantly this regulation comes into effect on the 25th May 2018
(aka this Friday)

What the flip does GDPR mean for you as an individual?
It means you have a say in what happens with your data - about time. We as individuals have the right to be forgotten and request our personal information be erased, stop the spreading of our data and halt third parties from processing our data.

What the flip does GDPR mean for you as a business who handles people's personal data
Organisations who handle any EU citizens data must comply with GDPR. Organisations who are data processors or controllers are under strict rules to make sure they comply. If they don’t fines and penalties up to €20 million euros or up to 4% of annual worldwide revenue whichever is higher will be issued depending on the infringement made. That’s some serious coin.

How the F+D crew is preparing for GDPR

As an agency, we have many clients who will need to comply with the new General Data Protection Regulation (GDPR). We need to make sure our clients are aware of the risks involved and understand what it is they need to do to comply.

We’ve done our research, read many articles, and have deep dived into GDPR and what it means from a marketing standpoint. However, we have found there is no checklist or examples of what exactly you should be doing as an organisation to comply with GDPR.

But don’t worry we have taken it upon ourselves to create a simple checklist and provide scenarios to make sure your business has the basics covered when it comes to protecting your clients' data.


GDPR: What do I need to do?

We've looked high and low and still haven't found a simple, actionable list of things to do to get ready for GDPR. This is our best effort at compiling some tips based on research we've done. Of course, we're not lawyers but hopefully you find this a good starting point. Have a chat to a lawyer or GDPR expert if you want to be crystal clear!

Get the downloadable GDPR cheat sheet here.

  1. Review and/or create a privacy policy relevant to your company.
  2. Change your data retention settings on Google Analytics. We’ve created a super simple step by step process so you can do this yourself. Pro Tip: You may need to do this kind of thing for other apps too – search your emails for "GDPR" and have a look through what you've been sent.
  3. Update all of your signup forms to explicitly ask for the user's consent to be communicated with (list each medium that you'll be communicated - e.g. email, direct mail), make it clear that the data can be removed and provide clear instructions for doing so (find an example below):
    "[company name] will use the information you provide in this form to [reason for contacting subscriber]. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from them, or by contacting them at [email address]. [Company name] will treat your information with respect. For more information about their privacy practices please visit [website]. By clicking below, you agree that we may process your information in accordance with these terms."
  4. Send an email out to your databases with an updated privacy policy and opt out option for further emails and/or promotions
  5. If your website uses third party cookies* (for example, if you use Google Analytics you will be) you need to make sure people using your website are aware that you are tracking cookies. You should have an enabled popup or banner on your site with a disclaimer to say ‘by using our website you agree to our privacy policy and for us to track your cookies’ (see image below).

*What is a third party cookie and how is it different from a first party cookie?
"Third-party cookies are cookies that are set by a website other than the one you are currently on." (Source: Cookie-Script.com).
Third party cookies can be used for lots of reasons. For example, publishers might use third party cookies to serve you content that is similar to other content you've viewed while you're browsing another website such as Facebook. Third party trackers you might be using could include... Facebook, Google Analytics, Google Adwords, LinkedIn, Twitter, DoubleClick, AdSense and many more.


Cookie popup banner

How the flip do you know if you’re a data processor or controller?

Scenarios: Controller vs Processor

The GDPR talks about “Data Processors” and “Data Controllers”. The regulation defines both of these terms (you can find the official definition in our GDPR Cheat Sheet glossary). But when you actually start looking at examples, it can be confusing to work out whether an organisation is a controller or a processor – and sometimes an organisation can be both!

Here are some super quick examples that might help you get the hang of it:

Example 1: Cool Company and their mass email tool
Cool Company uses MailChimp to send email updates to their subscribers every month. People can subscribe to these updates from Cool Company’s website via a MailChimp form.

In this scenario, it’s pretty simple. MailChimp can’t see the data coming into Cool Company’s MailChimp account, they’re only processing it. This data is ‘controlled’ by Cool Company. That means Mailchimp is the Data Processor and Cool Company is the Data Controller.


Example 2: Awesome Organisation and their advertising platform
Awesome Organisation uses Facebook Ads Manager to deliver ads to leads they have collected from a variety of sources. Their ad audience is a mix of people who have signed up to their newsletter, downloaded a PDF guide via Facebook lead forms, and anyone who has visited their website recently. Awesome Organisation also has their own Facebook profile, where their customers can engage with company updates.

Facebook is a really interesting example. Typically, Facebook is a Data Controller because it has direct users. For example, Awesome Organisation has their own Facebook company page. Having a page is similar to having a personal Facebook account, so in this relationship, Facebook is the Data Controller. Facebook determines how page and user data is used. But when a company uses Facebook Ads, that company becomes the data controller. They determine how the data is used, and Facebook processes the data.


Example 3: Amazing Agency advertising on behalf of Best Business
Best Business shares their online advertising accounts and email accounts with Amazing Agency. Amazing Agency run ads and sends emails on their behalf.

As an agency, you’re a controller of your client data but not a processor of your client’s data, it’s your responsibility to act in your client’s best interest.

How the flip do you get data consent?

Scenarios: Obtaining consent

Example 1
If you have 2,000 subscribers that you have built up over 5 years and you don’t remember how you signed them up, you’ll need to send them a new privacy policy with an option to opt-out to stop receiving communications from your business.

Example 2
If you’ve added a bulk email list to your database you’ll need to send opt-in email from an internal email address rather than a third party platform such as MailChimp to obtain consent for your organisation to email the individual communications.

Example 3
If you’re conducting a paper-based survey and asking for PII (personally identifiable information) i.e email address, name etc, you have to add consent and opt-out instructions in case they don’t want to receive communications from your business.

Example 4
If you use lead magnets and gated content strategies, make sure it's clear if the email adress/content value exchange means you'll be contacting them via email.

GDPR may seem like a daunting concept, but from our perspective it’s more about making sure you have good data processes in place for keeping both yours and your customers data more secure. It also gives the power back to the individual who has shared their data with you. We hope we have cleared a few questions up for you in regards to GDPR, but if you have further questions we’ll do our best to help. Otherwise, please get in touch with your lawyer to discuss what exactly your organisation needs to do to comply.

Want to hear more ramblings?
Sign up for updates